Communication To Uncommon Destination Ports

Detects programs that connect to uncommon destination ports

Sigma rule

title: Communication To Uncommon Destination Ports
id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: similar
status: test
description: Detects programs that connect to uncommon destination ports
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017/03/19
modified: 2024/03/12
tags:
    - attack.persistence
    - attack.command_and_control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 8080
            - 8888
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
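As an added example (not code from the Sigma project or the rule author), the rule's selection, filters and condition re-expressed in Python and run over constructed Windows network_connection records; field names follow the rule, while the sample image paths and addresses are made up.

```python
import ipaddress

# Added example (not Sigma project code): the rule's selection and filters
# re-expressed in Python and run over constructed network_connection events.
UNCOMMON_PORTS = {8080, 8888}                       # selection.DestinationPort
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (  # filter_main_local_ranges
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
SYS_DIR_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")  # filter_optional_*

def is_local(ip: str) -> bool:
    """DestinationIp|cidr test: True if ip falls in any listed loopback/private/link-local range."""
    addr = ipaddress.ip_address(ip)          # IPv4 vs IPv6 mismatch simply yields False
    return any(addr in net for net in LOCAL_RANGES)

def matches_rule(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    selection = (str(event.get("Initiated", "")).lower() == "true"
                 and int(event.get("DestinationPort", -1)) in UNCOMMON_PORTS)
    if not selection:
        return False
    if is_local(event["DestinationIp"]):                     # filter_main_local_ranges
        return False
    if event.get("Image", "").startswith(SYS_DIR_PREFIXES):  # filter_optional_sys_directories
        return False
    return True

def alerting_events(events) -> list:
    """Return the subset of events this rule would alert on."""
    return [e for e in events if matches_rule(e)]

# Constructed sample events (paths are made up; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8080},      # alerts
    {"Image": r"C:\Program Files\Vendor\agent.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8080},      # filtered: Program Files
    {"Image": r"C:\Users\alice\tool.exe", "Initiated": "true",
     "DestinationIp": "10.1.2.3", "DestinationPort": 8888},          # filtered: RFC 1918
    {"Image": r"C:\Users\alice\tool.exe", "Initiated": "false",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8888},      # inbound: selection fails
    {"Image": r"C:\Users\alice\tool.exe", "Initiated": "true",
     "DestinationIp": "fd12::1", "DestinationPort": 8888},           # filtered: fc00::/7
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT", e["Image"], "->", e["DestinationIp"], e["DestinationPort"])
```

Only the first record survives both filter groups; the Program Files exclusion is the `filter_optional_*` group, so a backend that omits optional filters would also surface the second record.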
